Bug 1823933 - Make default SCC manifests create-only by CVO
Summary: Make default SCC manifests create-only by CVO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.5.0
Assignee: Abu Kashem
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks: 1823934
Reported: 2020-04-14 19:50 UTC by Abu Kashem
Modified: 2020-07-13 17:28 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1823934
Environment:
Last Closed: 2020-07-13 17:27:56 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-kube-apiserver-operator pull 831 | 0 | None | closed | Bug 1823933: Make default SCCs create-only by CVO | 2020-11-23 22:41:54 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:28:20 UTC

Description Abu Kashem 2020-04-14 19:50:42 UTC
Description of problem:
In OpenShift 4.4, the default SCCs are managed by CVO. This means any changes to them are stomped by CVO.

We have customers who change the default SCCs for their workload. When a cluster upgrades from 4.3 -> 4.4, the users' changes to the default SCCs will be stomped by CVO, and customer workload will consequently face outages.

Version-Release number of selected component (if applicable):
OpenShift 4.4


How reproducible:
Always

Steps to Reproduce:
1. Install OpenShift 4.3

2. Change the default SCCs:
    oc patch scc privileged --type json -p '[{"op": "add", "path": "/users/-", "value": "kubeadmin"}]'
    oc patch scc anyuid --type json -p '[{"op": "add", "path": "/users/-", "value": "kubeadmin"}]'

3. do a 4.3 -> 4.4 upgrade


Actual results:
Changes to the default SCCs will be lost as a result of the upgrade.

Expected results:
The upgrade should retain the changes made by the user.

Additional info:
- https://bugzilla.redhat.com/show_bug.cgi?id=1823921
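
An added example (not part of the bug report or the operator's code): given a snapshot of a default SCC taken before the 4.3 -> 4.4 upgrade and the same SCC after CVO rewrote it, compute which user and group entries were lost and emit the `oc patch scc ... --type json` command that re-adds them, in the same form as the reproducer above. The two SCC documents are constructed samples; in practice they would come from `oc get scc <name> -o json` before and after the upgrade.

```python
"""Detect customer additions to a default SCC that an upgrade stomped, and build the restore patch."""
import json

# Constructed snapshots (not real cluster output): the `privileged` SCC with
# kubeadmin appended to .users on 4.3, and the same SCC after CVO reset it on 4.4.
PRE_UPGRADE = json.loads('''{
  "kind": "SecurityContextConstraints", "metadata": {"name": "privileged"},
  "users": ["system:admin", "system:serviceaccount:openshift-infra:build-controller", "kubeadmin"],
  "groups": ["system:cluster-admins", "system:nodes", "system:masters"]
}''')
POST_UPGRADE = json.loads('''{
  "kind": "SecurityContextConstraints", "metadata": {"name": "privileged"},
  "users": ["system:admin", "system:serviceaccount:openshift-infra:build-controller"],
  "groups": ["system:cluster-admins", "system:nodes", "system:masters"]
}''')


def lost_entries(before, after, field):
    """Entries of `field` ("users" or "groups") present before the upgrade but missing after it."""
    return [v for v in before.get(field) or [] if v not in (after.get(field) or [])]


def restore_patch(before, after):
    """RFC 6902 JSON patch re-adding every lost user and group.

    If the post-upgrade SCC dropped the list entirely, "/users/-" would fail,
    so the whole list is added in one op instead.
    """
    ops = []
    for field in ("users", "groups"):
        lost = lost_entries(before, after, field)
        if not lost:
            continue
        if after.get(field) is None:
            ops.append({"op": "add", "path": f"/{field}", "value": lost})
        else:
            ops.extend({"op": "add", "path": f"/{field}/-", "value": v} for v in lost)
    return ops


def restore_command(name, patch):
    """Render the patch as the same `oc patch scc` invocation used in the reproducer."""
    return f"oc patch scc {name} --type json -p '{json.dumps(patch)}'"


if __name__ == "__main__":
    patch = restore_patch(PRE_UPGRADE, POST_UPGRADE)
    if patch:
        print(restore_command(POST_UPGRADE["metadata"]["name"], patch))
    else:
        print("no SCC entries were lost across the upgrade")
```

Run the same comparison for each default SCC the customer modified (the reproducer touches `privileged` and `anyuid`); an empty patch means CVO left that SCC's additions intact.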

Comment 1 Abu Kashem 2020-04-16 16:45:12 UTC
Waiting for the PR in master - https://github.com/openshift/cluster-kube-apiserver-operator/pull/831 to merge. Then it will be cherry-picked into 4.4.

Comment 4 Abu Kashem 2020-04-17 17:41:59 UTC
Once the backport to 4.4 https://github.com/openshift/cluster-kube-apiserver-operator/pull/836 merges, I will revert it to ON_QA. I did not know of any other way to convince CI to allow my PR to merge.

Comment 5 Abu Kashem 2020-04-17 19:57:29 UTC
My PR has merged, reverting it back to ON_QA.

Comment 8 errata-xmlrpc 2020-07-13 17:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

